On August 8, news broke that the Securities and Exchange Commission and the Commodity Futures Trading Commission charged a group of 10 broker-dealers and a dually registered broker-dealer and investment advisor with failure to preserve information from private messaging applications, with total fines reaching $549 million. This action, combined with earlier charges in May ($15 million and $7.5 million against two institutions) and September 2022 (impacting roughly 20 firms with fines of $1.8 billion total), has brought total fines for record-keeping failures of messaging applications within financial institutions over the last year to roughly $2 billion.
In this Q&A, experts from across FTI Consulting discuss escalating scrutiny over “off-channel communications,” or “emerging data sources,” such as modern communications tools, collaboration platforms, personal devices and chat applications, and what financial institutions can do to either respond in the wake of charges or reduce their risk in the next crackdown.
A broad cross-section of regulatory activity underscores just how valuable and risky data has become in the current business environment. Can you speak to the new requirements surrounding the governance of emerging data sources and off-channel communications and some of the key issues around the latest enforcement actions?
Jake Frazier, Senior Managing Director, FTI Technology: Regulators have made clear that if emerging data systems contain relevant business communications, documents or other records, they must be governed, monitored, collected, reviewed and produced just as traditional sources must be. Otherwise, a company may risk severe penalties, as we’ve seen in this recent SEC and CFTC sweep of 11 financial institutions. While today’s headlines are focused on the millions in fines issued in August, the seriousness and reality of enforcement trends around modern forms of communications, and failures to properly preserve, monitor and manage them, are evident in a timeline of events that have been escalating for more than a year.
John Goff, Senior Director, FTI Technology: The shift to the modern communications platforms (and subsequently the tremendous volume and variety of data types that result from them) now used within organizations has happened very quickly, leaving many organizations ill-prepared to build proper governance and controls around them. And as new ways of working and communicating have evolved, there’s been a simultaneous departure from governance, compliance and e-discovery activities that were previously considered standard practice. Regulatory agencies now recognize this shift and are taking a strict stance toward keeping financial institutions accountable for ensuring their compliance requirements are extended to all channels where business communications are taking place (including instant messaging, chat, mobile devices and voice recordings).
In parallel, handling these off-channel communications, or emerging data sources, is highly complex and technical along every facet of regulatory enforcement, from identifying these sources, governing their use, incorporating them into proactive compliance programs, ensuring they are captured within an organization’s compliance archive, forensically collecting that data in the event there is a breach of policy, responding to regulatory inquiries, and conducting e-discovery across dozens of different communication platforms.
What are some of the steps an organization should be prepared for if they become a target of this enforcement trend?
Anthony Primiano, Senior Managing Director, FTI Consulting’s Broker-Dealer Regulatory Governance and Disputes practice: Whether a financial services institution is already in a position of reacting to enforcement or audit requirements around this issue, or looking to proactively mitigate before regulators come calling, the fundamental requirements are the same. Organizations must first, and urgently, review and revise policies and procedures for data preservation and monitoring to ensure they account for all relevant sources of business-related emerging data and potential off-channel communications, and explicitly define which platforms are approved. If they are the subject of an action, they will be required to establish frameworks to address issues of non-compliance, including consequences that include compensation, promotion and termination. This is also an important step for organizations that are looking to reduce their exposure to future charges.
Jason Sabot, Senior Managing Director, FTI Consulting’s Financial Services practice: We’re in the midst of handling these issues for clients that were involved in earlier waves of enforcement. For example, for one financial institution that was part of the SEC and CFTC actions in September 2022, we served as an independent compliance consultant to review and assess the organization’s policies, procedures and technology used to manage off-channel communications. In addition to evaluating the state of policies, training, communications supervision and instances of non-compliance, and providing recommendations for how to enhance existing processes, the team helped the client strengthen the use of its preservation platform.
Technology is a significant factor here, in both the problem and the steps to solve for it. What are some of the most challenging technical issues that come up in these matters?
Goff: There are many, from the foundation of conducting data mapping to identify the types of tools commonly used across the organization, resolving identity management issues, to the tools and workflows needed to effectively preserve and produce all relevant information, including from employee-owned devices, in the event of a regulatory inquiry. We’ve also seen a notable gap in knowledge and technical proficiency around selection and implementation of technology solutions to manage and surveil off-channel communications. Resolution agreements have included requirements for firms to put such tooling in place, and many are struggling to identify and evaluate the most effective technology platforms, implement them and architect supporting processes around them.
Firms that have been impacted are required to engage an independent compliance consultant to audit their processes. Our teams have extensive applicable and direct experience in this arena. Are there specific skillsets financial services institutions should look for in a compliance partner?
Sabot: First and foremost, a partner should be able to show demonstrated experience handling compliance-related matters and establishing compliance programs in the financial sector. Additionally, deep understanding of SEC, CFTC, FINRA and DOJ requirements and what these agencies consider as acceptable is a must.
Primiano: I’ll add that data analytics proficiency for structured (financial) and unstructured (communications) data and robust capabilities to implement governance policies, procedures, training and technology are essential. Moreover, partners should be grounded in the fact that while these actions are U.S.-centric, the global regulatory environment is also intensifying. Providers should be positioned to help their clients scale compliance across international jurisdictions as well.
Frazier: Technical proficiency is rare among many consultancies but is essential for addressing gaps in off-channel communications governance. Providers should be able to deeply understand their clients’ technical needs and challenges, as well as how those align to the unique features and capabilities available in various technology platforms.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.